Generate OpenSSL Certificates for nginx Win, Linux and Mac

OpenSSL can be used to create your own web server certificates for use with nginx or Apache. In this guide I show you how to create an SSL certificate using OpenSSL and configure your web server nginx to use the https protocol. I needed SSL certificates for use with reverse proxies for Sabnzbd, NZBGet, Sonarr, SickRage, CouchPotato and others. I managed to get OpenSSL generating certificates on Windows, Mac and Linux so I have consolidated them all into this guide as opposed to making separate posts – feedback on whether this was a good idea or not is welcome in the comments.

Generate OpenSSL Certificates for nginx

I will assume you have already installed nginx already. If you haven’t you can use this Windows, Mac or Linux guide – though you can also install it on Mac with Homebrew which is much easier, however the paths will be different and you will have to adjust them accordingly in this guide. This guide does not help you create SSL certficates from a Certified Authority so you will get warnings that the SSL certificate is not trusted – however, there is no reason not to trust a certificate that you have created yourself! However if you do want an official certificate you can get one for free from StartSSL that you will have to renew each year.

OpenSSL on Linux

On Linux it couldn’t be easier, this works on Debian, Ubuntu, Raspbian and should work on any debian based system

sudo apt-get install openssl -y

Create the SSL Certificate with OpenSSL

A quick explanation about the best encryption. Other guides use des which is outdated and slow (Source). AES encryption has won awards for its strength, your home router is capable of AES encryption. There is a quick overview of AES encryption types. We will be using RSA which is also a respectable encryption method.

Open a command prompt for Windows or terminal for Mac and Linux

On Linux or Mac create an SSL directory

sudo mkdir -p /etc/nginx/ssl

Now to create the actual SSL certificates, it will last 36500 days and have rsa 2048 bit encryption. The nodes switch means we don’t have to enter the server key’s password each time you connect to the nginx web server.

On all operating systems you will be prompted for some information, you can leave them all blank if you like

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: DK
State or Province Name (full name) [Some-State]: Utopia
Locality Name (eg, city) []: Gotham
Organization Name (eg, company) [Internet Widgits Pty Ltd]: HTPC Guides
Organizational Unit Name (eg, section) []: Admin
Common Name (e.g. server FQDN or YOUR name) []: HTPCGuides.com
Email Address []: admin@htpcguides.com

Now you can actually configure nginx to use the SSL certificates

Configure nginx with SSL

Configure nginx to use SSL with Mac and Linux

Open the Linux nginx configuration file, adjust reverse if your file is different

sudo nano /etc/nginx/sites-available/reverse

On Mac following my nginx installation guide open the configuration file which should be in one of these locations, the 2nd is for nginx installation using homebrew

Open up a command prompt with Administrator privileges and paste these commands

cd c:\nginx-1.6.2
nginx -s reload

That should do it, now you can access the nginx web server at https://ip.address and you should see your web site or the default nginx page.

When you do open it you will see some warnings which you have to click past. The reason you get these warnings is because you created the certificate yourself and did not acquire it from a Certified Authority (CA). This is how to store the certificates you just created in your browser so the warning disappears for your personal site. If you ever get this warning when trying to visit a commercial website you should check your computer for viruses and malware.

In Chrome you need to click Show advanced and Proceed to ip.address (unsafe)

Archives

Archives

DISCLAIMER

The information on HTPC Guides is for educational purposes and only condones obtaining public domain content. HTPC Guides is not responsible for content from any other site or provider. By using the links provided on this site you agree that neither this site nor its proprietor is in any way responsible for any damages or liability arising from use of external content.

Copyright

The information on this site is the intellectual property of the owner. Credit to other sources is provided where relevant. If you believe any information has not been sourced, please leave a comment and appropriate action will be taken.